Reset Search
 

 

Article

802.1x auth stops working after switch firmware upgrade

« Go Back

Information

 
Title802.1x auth stops working after switch firmware upgrade
Symptoms
After a switch firmware update was performed most end-systems were found to pass dot1x authentication as before with the exception of a few multi-function printers.
 
Environment
Platform:  S-series
Firmware: 8.4x or higher
Printer:     Samsung SCX-4833FD
Cause
Starting with firmware 8.4x the switch sends EAPOL "Request Identity" using version: 802.1X-2010 (3).
It seems the Samsung printer (802.1X supplicant) doesn't reply to a v3 EAPOL request.
Resolution
The end-system (supplicant) must reply to any EAPOL "Request Identity".
  1. If the supplicant replies with "Response Identity" and the same version (3) then all the EAPOL exchange follows EAP v3 rules. 
  2. If the supplicant replies with an EAP v1 "Response Identity" then the EAPOL exchange follows EAP v1 rules.
The end-system is not IEEE compliant, the vendor must provide a firmware update that fixes its behaviour with regards to EAPOL response.
 
Additional notes
Excerpt from IEEE specifications: 

"
For an implementation that supports version A of the protocol, a received EAPOL PDU of a given Packet Type that carries a protocol version number B is interpreted as follows: 

d) Where B is greater than or equal to A, the EAPOL PDU shall be interpreted as if it carried the 
supported version number, A. Specifically: 
1) All EAPOL PDU parameters that are defined in version A shall be interpreted in the manner 
specified for version A of the protocol for the given EAPOL PDU Packet Type. 

2) All EAPOL PDU parameters that are undefined in version A for the given EAPOL PDU Packet 
Type shall be ignored. 

3) All octets that appear in the EAPOL PDU beyond the largest numbered octet defined for 
version A for the given EAPOL PDU Packet Type shall be ignored. 
"
As a consequence of the rules stated in d) and its sub-bullets, a version 1 implementation must reply to a v3 Request as it would be a v1 PDU.

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255